What is Wyvern ransomware? And how does it carry out its attack?

Wyvern ransomware is yet another variant of the BTCWare ransomware family. This new ransomware variant was discovered by a malware security expert named Michael Gillespie. Wyvern appends its targeted files with the “.[email]-id-[id].wyvern” extension on each files. And if you’re one of the unfortunate users who have been infected with this ransomware, do not shut down your PC as there is a way to decrypt your encrypted files.

The entirety of this ransomware is almost identical to the previous variants of BTCWare. The encryption algorithm used is even the same and its ransom note is still named as HELP.hta. The main and obvious difference is the contact email address which is now decryptorx@cock.li. Aside from that slight change, the ransomware also modifies the file names of the compromised files and then append the “.[email]-id-[id].wyvern” extension to the encrypted file’s name. After the encryption process, the ransomware drops the ransom note HELP.hta containing the following text:

“All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptorx@cock.li

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.

hxxps://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:

hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.”

No matter how frantic you are to get your files back, contacting these crooks won’t guarantee you the recovery of your files. They might only pressure you into paying a huge amount. And even if you pay them, it still does not necessarily bring good results for they can’t be trusted so you might end up losing money over nothing. There is no need for you to reach that point since there are alternative ways to recover your encrypted files. This recovery method will be discussed later on along with the removal instructions which should be done first before you recover your files.

How does Wyvern ransomware proliferate?

Just like other BTCWare ransomware variants, Wyvern proliferates with its creators hacking into remote computers with weak passwords with the help of Remote Desktop services. Once they are able to get a hold of the computer, that’s the time they drop Wyvern’s malicious executable file and then launch it.

Aside from Remote Desktop services, Wyvern can also spread using spam email. These emails contains an infected attachment that when executed, connects your computer to a remote server which in turn drops the ransomware on the computer. These attachments are usually ZIP files with a JS or VBS file inside it. To be clear, the attachment itself is not the ransomware but is only some sort of a code to connect to a remote domain and download the ransomware from it.

Refer the given removal instructions below to eliminate Wyvern ransomware followed by the recovery method.

Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the Wyvern Ransomware.

Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.

Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.

Look for Wyvern ransomware or any malicious program and then Uninstall it.

Step 4: Go to the directories listed below and then look for the corrupted files such as its ransom note, HELP.hta created by the malware.

C:\Users\(your pcname)\AppData\Roaming

%TEMP%.

%USERPROFILE%\Downloads

%USERPROFILE%\Desktop

The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Wyvern ransomware created. So if you are not familiar with the Windows Registry skip to Step 9 onwards.

However, if you are well-versed in making registry adjustments, then you can proceed to step 5.

Step 5: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.

Step 6: Navigate to the following path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Step 7: Delete the registry value named DECRYPTINFO as well as other suspicious registry value.

Step 8: Close the Registry Editor.

Step 9: Empty the Recycle Bin.

Try to recover your encrypted files using the Shadow Volume copies

Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Wyvern ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.

To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Follow the continued advanced steps below to ensure the removal of the Wyvern ransomware:

Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

Turn on your computer. If it’s already on, you have to reboot

After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

To navigate the Advanced Option use the arrow keys and select SafeMode with Networking then hit

Windows will now load the SafeMode with Networking.

Press and hold both R key and Windows key.

If done correctly, the Windows Run Box will show up.

Type in Apollolocker http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between Apollolocker and http. Click OK.

A dialog box will be displayed by Internet Apollolocker. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.